-
Vulnerability description

Beck IPC GmbH IPC@Chip Telnet Server contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the server sends a different response when provided an invalid versus a valid username, which may allow a remote attacker to enumerate user accounts resulting in a loss of confidentiality.

-
Timeline

Disclosure date:
2001-05-24

Discovery date:
Unknown

Exploit date: 2001-05-24

Resolution date: 2001-06-01

-
Solution

Contact the vendor for an upgrade. An upgrade is required as there are no known workarounds.

-
Vulnerability author

-
Vulnerability information

Vulnerability author:
Reported to bugtraq by Siberian <i.am.a@x-men.com> on May 24, 2001.

-
Affected program versions

Beck IPC GmbH IPC@CHIP Embedded-Webserver

-
Vulnerability discussion

The IPC@Chip is a single-chip embedded webserver from Beck GmbH.

The device's inbuilt telnetd service may allow a remote user to confirm names of valid telnet accounts.

When an attacker attempts to log in to the telnet service with a given user ID, the attacker receives a prompt for the password only if the supplied account name exists. This confirms for the attacker that the given ID is valid.

In combination with brute-force password techniques, to which this device is reportedly vulnerable, this can permit a remote attacker to compromise arbitrary accounts on the system. Properly exploited, this can lead to a compromise of the device's normal operation.
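The difference in server output described above, next to a login flow that does not leak it, as an added example (not code from the vendor or from the original advisory). The account table, function names and prompt strings are constructed for illustration.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed account table (not taken from the device): name -> (salt, hash).
_SALT = os.urandom(16)
ACCOUNTS = {"operator": (_SALT, _hash("constructed-secret", _SALT))}
# Dummy record so an unknown name costs the same hashing work as a known one.
_DUMMY = (os.urandom(16), os.urandom(32))


def vulnerable_login(username, read_password):
    """Behaviour the advisory describes: password prompt only for valid names."""
    transcript = ["Username: "]
    if username not in ACCOUNTS:
        transcript.append("Login incorrect")  # no prompt, so the name is known to be invalid
        return False, transcript
    transcript.append("Password: ")
    salt, stored = ACCOUNTS[username]
    ok = hmac.compare_digest(_hash(read_password(), salt), stored)
    transcript.append("Welcome" if ok else "Login incorrect")
    return ok, transcript


def hardened_login(username, read_password):
    """Always prompt, always hash, and fail with one generic message."""
    transcript = ["Username: ", "Password: "]
    known = username in ACCOUNTS
    salt, stored = ACCOUNTS[username] if known else _DUMMY
    match = hmac.compare_digest(_hash(read_password(), salt), stored)
    ok = known and match
    transcript.append("Welcome" if ok else "Login incorrect")
    return ok, transcript


def server_output_differs(login, valid_name, invalid_name):
    """True if a failed attempt reveals whether the account name exists."""
    _, seen_valid = login(valid_name, lambda: "wrong")
    _, seen_invalid = login(invalid_name, lambda: "wrong")
    return seen_valid != seen_invalid
```

Because the discussion notes the device is also reportedly open to password brute-forcing, a uniform response is only half the mitigation; attempt limiting per source and per account covers the other half.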

-
Exploit

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

-
Solution

The vendor reports that this has been fixed, and that a "test version is available upon request."